May 25th sees the implementation of a new piece of EU regulation – the General Data Protection Regulation (GDPR).
Any UK business that collects or uses personal data should currently be working in accordance with the Data Protection Act 1998. There are similarities between the GDPR and the DPA, but the new regulation brings additional requirements that will need to be addressed. So, what are these requirements and what does your business need to do to ensure you’re ready for May 25th?
New requirements for data controllers and processors
This new data regulation applies to data controllers and data processors. A data controller decides why and how personal data is processed; in a small business that responsibility typically sits with someone like the Operations Director or Marketing Manager. A data processor handles personal data on the controller’s behalf and on the controller’s instructions, for example a personal assistant, operations executive, administration assistant, IT consultant, or anyone else who acts for the controller.
Personal data is any information that identifies, or could be used to identify, a living individual. In a business environment this will include names, addresses, email addresses, payment details and photos, as well as any social media interactions you may have with clients.
Although the main principles of the new regulations are still the same as those set out in the previous directive, some of the key changes are:
- Penalties – The most serious breaches of the GDPR can result in a fine of up to €20 million or 4% of total annual worldwide turnover, whichever is the larger amount. Less serious breaches can attract a fine of up to €10 million or 2% of worldwide turnover.
- Consent – Consent must be freely given, specific, informed and unambiguous, and the terms that describe it need to be accessible and clear, using plain language. Companies can no longer rely on lengthy and illegible terms and conditions, and withdrawing consent must be as easy as giving it.
- Breach notifications – The relevant supervisory authority (the ICO in the UK) must be notified of a personal data breach within 72 hours of the data controller becoming aware of it, unless the breach is unlikely to put at risk the “rights and freedoms of individuals”. A data processor must tell its controller about a breach without undue delay, and where the risk to individuals is high the affected data subjects must be informed as well.
- Right to access – Data subjects (clients/customers/contacts) have the right to ask the data controller whether or not their personal data is being processed and, if it is, for what purpose. The controller is obliged to provide a free copy of the personal data being held, in electronic form where the request was made electronically, normally within one month.
- Data portability – A data subject has the right to receive the personal data they have provided in a structured, commonly used, machine-readable format, and to have it transferred to another company.
- Data protection officers – The new regulation requires a DPO to be appointed only where the company is a public authority, where its core activities involve the “regular and systematic monitoring of data subjects on a large scale”, or where they involve large-scale processing of special categories of data (such as health data) or data relating to criminal convictions.
More information on all changes and requirements, including the full criteria for DPO appointments, can be found HERE.
What about Brexit – do I still need to prepare for the GDPR?
The GDPR applies to all companies established within the EU that process and hold personal data, wherever the processing actually takes place. Companies located outside the EU must also comply if they offer goods or services to people in the EU or monitor their behaviour. The UK will still be an EU member state on 25th May 2018, and the government has confirmed that the GDPR’s requirements will be carried into UK law after Brexit, so leaving the EU does not remove the need to prepare.
How do I assess my business for compliance?
For business managers who are unsure how compliant their businesses are, the ICO has a useful self-assessment toolkit.
What happens if my business does not comply?
The GDPR was adopted in April 2016 and has been in force since May of that year, but it applies, and will be enforced, from 25th May 2018. Non-compliance could result in a fine of up to €20 million or 4% of annual worldwide turnover, so it is crucial to take a look at your data management policies and procedures now to ensure that you comply with the regulation.
Data protection at Designated PA
Designated Group, including Designated PA, is committed to protecting clients’ privacy and conducts all work in line with the Data Protection Act 1998. We work closely with clients to ensure that data protection laws are adhered to, and that all data is stored securely and encrypted where necessary.